#!/bin/bash

## Author: congyang
## Time: 2021/06/02
## Version: 1.4
## Description: Secure hardening initialization script

if [ `id -u` != 0 ]; then
    echo -e "\033[43;30mPermission denied! Please use root user\033[0m"
    exit 1
fi

# 判断外网连通性
http_code=`curl -sIL -w "%{http_code}\n" -o /dev/null http://www.baidu.com`
if [ $http_code != 200 ]; then
    echo -e "\033[43;30mPlease check internet!\033[0m"
    exit 1
fi

function install_package() {
    yum update -y
    yum install -y gcc openssl openssl-devel perl perl-devel vim ntpdate
    echo "*/10 * * * * /usr/sbin/ntpdate ntp.api.bz > /dev/null 2>&1" >> /var/spool/cron/root
    ntpdate time1.aliyun.com

}

function init_security() {
    local timestamp=`date +%F-%T`

    cat >> /etc/profile <<EOF
export TMOUT=300
export HISTSIZE=0
umask 0027
EOF

    cat >> /etc/inittab << EOF
#禁止通过键盘(CTRL+ALT+DEL)进行重启
ca::ctrlaltdel:/sbin/shutdown -r -t 4 now
#确保在单用户模式下需要输入root密码
~~:S:respawn:/sbin/sulogin
EOF

    cat >> /etc/sysconfig/init << EOF
#linux的单用户模式
SINGLE=/sbin/sulogin
#禁止提示
PROMPT=no
EOF

    cat >> /etc/login.defs <<EOF
LOG_UNKFALL_ENAB yes
LOGIN_RETRIES 5
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 30
useradd -D -f 30
FAILLOG_ENAB yes
#su时限制用户环境变量
ALWAYS_SET_PATH=yes
EOF

    cat >> /etc/security/pwquality.conf << EOF
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF

    cat >> /etc/pam.d/login << EOF
# 登陆失败超过5次锁定账户
auth required pam_tally2.so deny=5 unlock_time=120
EOF

    cat >> /etc/default/useradd << EOF
INACTIVE=35
EOF
    cat >> /etc/pam.d/passwd << EOF
# 限制口令长度以及复杂度
passwd required pam_cracklib.sotry_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
EOF

    mv /etc/security/limits.d/20-nproc.conf /etc/security/limits.d/20-nproc.conf.bak-$timestamp
    echo -e "*          soft    nproc     40960\nroot       soft    nproc     unlimited" >> /etc/security/limits.d/20-nproc.conf
    
    mv /etc/security/limits.conf /etc/security/limits.conf.bak-$timestamp
    cat >> /etc/security/limits.conf << EOF
# nproc 是代表最大进程数
# nofile 是代最大文件打开数
root hard nofile 65535
root soft nofile 65535
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
* - nofile 65535
* hard core 0
fs.suid_dumpable=0
EOF

    ##禁用cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf,vfat类型的文件系统
    cat >> /etc/modprobe.d/file_system.conf << EOF
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /hin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
install usb-storage /bin/true
EOF
    echo -e "install fat /bin/true" >> /etc/modprobe.d/mount.conf
    chown root.root /etc/modprobe.d/file_system.conf
    chmod 600 /etc/modprobe.d/file_system.conf
    chmod 600 /etc/modprobe.d/mount.conf
}

function init_sys() {
    local timestamp=`date +%F-%T`
    cat >> /etc/systemd/system.conf << EOF
DefaultLimitCORE=infinity
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
EOF
    cat >> /etc/systemd/user.conf << EOF
DefaultLimitCORE=infinity
DefaultLimitNOFILE=65535
DefaultLimitNPROC=65535
EOF
    cat >> /etc/pam.d/system-auth << EOF
# 配置密码复杂度
password requisite  pam_cracklib.so retry=3 difok=2 minlen=8 lcredit=-1 dcredit=-1
# 配置失败的密码尝试锁定
password require pam_pwquality.so try_first_pass retry=3
EOF
    cat >> /etc/pam.d/password-auth << EOF
# 配置失败的密码尝试锁定
password require pam_pwquality.so try_first_pass retry=3
EOF
    cat >> /etc/pam.d/sshd << EOF
# 暴力破解锁定账号
auth required pam_tally2.so deny=5 lock_time=2 even_deny_root unlock_time=60
EOF
    mv /etc/sysctl.conf /etc/sysctl.conf.bak-$timestamp
    cat > /etc/sysctl.conf << EOF
# 关闭 ipv6 
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# 内核放弃建立连接之前发送SYNACK/SYN包的数量
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# 允许将TIME-WAIT sockets重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 30           # 设置TCP三次请求的fin状态超时
net.ipv4.tcp_keepalive_time = 600       # 设置TCP发送keepalive的频度
net.ipv4.tcp_syncookies = 1             # 加强对抗SYN Flood的能力
net.ipv4.tcp_keepalive_intvl = 2        # 探测包发送时间的间隔设置
net.ipv4.tcp_keepalive_probes = 2       # 客户端无应答，探测包的发送次数
net.ipv4.tcp_max_tw_buckets = 55000     # 系统同时保持time-wait的最大数量
net.ipv4.tcp_rmem = 4096 87380 4194304  # 接受数据缓冲区范围
net.ipv4.tcp_wmem = 4096 16384 4194304  # 发送数据缓冲区范围
net.ipv4.tcp_retries2 = 5               # TCP失败重传次数
net.ipv4.ip_local_port_range = 1100 65000       # 允许系统打开的端口范围
net.ipv4.tcp_max_orphans = 3276800              # 防止简单的DoS 攻击
net.ipv4.tcp_max_syn_backlog = 262144           # 表示SYN队列的长度
net.ipv4.icmp_echo_ignore_broadcasts = 1        # 避免放大攻击
net.ipv4.icmp_ignore_bogus_error_responses = 1  # 开启恶意icmp错误消息保护
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv6.conf.all.forwarding=0
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 65535 # 系统同时发起的tcp连接数
net.netfilter.nf_conntrack_max=655350                    # 修改防火墙表大小
net.netfilter.nf_conntrack_tcp_timeout_established = 300 # 设置tcp确认超时时间
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 12    # 设置tcp等待时间
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60   # 设置tcp关闭等待时间
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120    # 设置tcp fin状态的超时时间
kernel.shmmax = 68719476736 #用户postfix邮件服务器
kernel.shmall = 4294967296
kernel.sysrq = 0            # 关闭sysrq功能
kernel.pid_max = 65536      # 允许更多的PIDs
kernel.core_uses_pid = 1    # core文件名中添加pid作为扩展名
kernel.msgmnb = 65536       # 修改消息队列长度
kernel.msgmax = 65536
fs.file-max = 65535         # 增加系统文件描述符限制
vm.swappiness = 0
vm.max_map_count = 262144
EOF
    sysctl -p && systemctl daemon-reload
}

function add_user() {
    useradd jvs_ops
    useradd jvs_usr -M -s /sbin/nologin
    mkdir -p /home/jvs_ops/.ssh
    cat >> /home/jvs_ops/.ssh/authorized_keys << EOF
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuPntzsGhGwNlBlJ0ZYxFFOe9NvQ0mhRQQ/Jhz+aPOiCJuiM79Oei7Y/hMok4P+TIejSIwHocwrdy9B0x6/iSQ2sbR+JR1OKx/YSXkBSzyak3WEkbeB8TJqcmGUzH48/+xxO6jPjw/Efih1uv6cWIwFBdKp4a+bplgTSHq98pDfMp4vi/Z7jNQLf7GHfrWMSdItLkadHbV+SxJDHn2pCL+nU39+y7XLJ+K3KGBrP2jmUW0bxjm0J7vGTqUSWsxZLdaPNAJ5q4PlDUg6Rk/4P74VBshuNdnIBWtr7XiR+wRECC0E00F62+DsRTe4TFcyX6zbbtcY56L1vBIDVgeOLQKQ==
EOF
    chmod 400 /home/jvs_ops/.ssh/authorized_keys
    chmod 700 /home/jvs_ops/.ssh
    chown -R jvs_ops.jvs_ops /home/jvs_ops/.ssh
    echo "jvs_ops ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
}

## 修改ssh配置
function change_ssh() {
    local timestamp=`date +%F-%T`
    mv /etc/ssh/sshd_config /etc/ssh/sshd_config-$timestamp
    cat > /etc/ssh/sshd_config << EOF
#ssh协议版本
Protocol 2
#日志级别
SyslogFacility AUTH
LogLevel VERBOSE
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#秘钥文件
AuthorizedKeysFile      .ssh/authorized_keys
IgnoreRhosts yes
#禁用密码登录
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Port 22222
#ssh采用 X 协议的第 11 个版本
X11Forwarding no
#设置ssh最大密码尝试失败次数3
MaxAuthTries 3
#ssh服务开启秘钥认证
RSAAuthentication yes
PubkeyAuthentication yes
#设置验证的时候是否使用“rhosts”和“shosts”文件
IgnoreRhosts yes
#禁用主机身份验证
HostbasedAuthentication no
#不允许空密码登陆
PermitEmptyPasswords no
UsePAM yes
UseDNS no
#禁止root登录
PermitRootLogin no
#禁止允许 sshd(8) 处理
PermitUserEnvironment no
#服务器端向客户端请求消息的时间间隔
ClientAliveInterval 300
#允许超时的次数
ClientAliveCountMax 0
#使sshd打印警告横幅
Banner /etc/issue.net
#在接受登录之前，使sshd检查文件模式以及用户文件和主目录的所有权
StrictModes yes
#设置为"no"，不允许TCP转发
AllowTcpForwarding no
#不允许代理转发
AllowAgentForwarding no
#禁止SSH端口转发功能远程登陆内网服务器
GatewayPorts no
#禁止tun(4) 设备转发
PermitTunnel no
#SSH远程登录显示自定义警告信息
PrintMotd yes
LoginGraceTime 60
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour
EOF
    systemctl restart sshd.service
}

function init_log() {
    cat >> /etc/rsyslog.conf << EOF
*.warning /var/log/syslog
# 记录守护进行产生的DEBUG日志
daemon.debug /var/log/daemon.log
# 记录cron守护进程产生的日志
cron.info  /var/log/cron
# 从内核发出的重要程度为emerg或alert的信息发送到控制台
kern.emerg /var/log/kern_emerg.log
kern.emerg /dev/console
# 设备内核时间重定向到本地日志文件并在控制台上显示
kern.* /var/log/kernel.log
# 邮件和认证设备事件被重新向到本地受限访问的日志文件上
auth.info;mial.info /var/log/secure.log
#确保已配置日志记录
*.emerg	:omusrmsg:*
mail.*		-/var/log/mail
mail.info	-/var/log/mail.info
mail.warning	-/var/log/mail.warn
mial.err		-/var/log/mail.err
news.crit		-/var/log/news/news.crit
news.err		-/var/log/news/news.err
news.notice	-/var/log/news/news.notice
*.=warning;*.=err	-/var/log/warn
*.crit 	/var/log/warm
*.*;mail.none;news.none	-/var/log/messages
local0,local1.*		-/var/log/localmessages
local2,local3.*		-/var/log/localmessages
local4,local5.*		-/var/log/localmessages
local6,local7.*		-/var/log/localmessages
#确保已配置rsyslog默认文件权限
\$FileCreateMode 0640
#确保仅在指定的日志主机上接受远程rsyslog消息
\$ModLoad imtcp
InputTCPServerRun 514
EOF
    systemctl restart rsyslog
    systemctl enable rsyslog

    #确保已配置日志记录
    mkdir -p /etc/syslog-ng
    cat >> /etc/syslog-ng/syslog-ng.conf << EOF
log {source(src);source(chroots);filter(f_console);destination(console);};
log {source(src);source(chroots);filter(f_console);destination(xconsole);};
log {source(src);source(chroots);filter(f_newscrit);destination(newscrit);};
log {source(src);source(chroots);filter(f_newserr);destination(newserr);};
log {source(src);source(chroots);filter(f_newsnotice);destination(newsnotice);};
log {source(src);source(chroots);filter(f_mialinfo);destination(mialinfo);};
log {source(src);source(chroots);filter(f_mialwarn);destination(mailwarn);};
log {source(src);source(chroots);filter(f_mailerr);destination(mialerr);};
log {source(src);source(chroots);filter(f_mial);destination(mail);};
log {source(src);source(chroots);filter(f_acpid);destination(acpid);flags(final);};
log {source(src);source(chroots);filter(f_acpid_full);destination(devnull);flags(final);};
log {source(src);source(chroots);filter(f_acpid_old);destination(acpid);flags(final);};
log {source(src);source(chroots);filter(f_netmgm);destination(netmgm);flags(final);};
log {source(src);source(chroots);filter(f_local);destination(localmessages);};
log {source(src);source(chroots);filter(f_messages);destination(messages);};
log {source(src);source(chroots);filter(f_iptables);destination(firewall);};
log {source(src);source(chroots);filter(f_warn);destination(warn);};
EOF
    #加载配置
    pkill -HUP syslog-ng

    #确保已配置所有日志文件的权限
    find /var/log -type f -exec chmod g-wx,o-rwx {} +

}

function stop_server() {
    for i in `chkconfig --list| grep "3:on" | awk '{print $1}' | grep -vE "crond|network|sshd|rsyslog"`
    do
        chkconfig $i off
    done

    # 关闭swap
    swapoff -a && sed -i 's/.*swap.*/#&/' /etc/fstab
    ## 关闭selinux
    setenforce 0 && sed -i s"/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
    #关闭相关服务
    systemctl stop cups.path
    systemctl stop cups.socket
    systemctl stop cups.service
    systemctl disable cups.service
    systemctl stop avahi-daemon.socket
    systemctl stop avahi-daemon.service
    systemctl disable avahi-daemon.service
    systemctl stop postfix.service
    systemctl disable postfix.service
    systemctl stop chronyd.service
    systemctl disable chronyd.service
    service bluetooth stop 
    systemctl disable bluetooth service
    ## 关闭firewalld
    systemctl stop firewalld.service
    systemctl disable firewalld.service

    #删除不需要的安装包
    yum remove telnet xorg-xll tcpdump-4.9.2* lsof-4.87 dhcp-libs-4.2.5* dhcp-common-4.25* mailx-12.5* bzip2-libs-1.0.6* gzip-1.5* unzip-6.0* iptables-1.4.21*

    #删除不需要的用户
    sed -i '/tcpdump:x:72:72/d' /etc/passwd
    sed -i '/ftp:x:14:50:FTP/d' /etc/passwd
    sed -i '/mail:x:8:12:mail/d' /etc/passwd
    sed -i '/games:x:12:100:games/d' /etc/passwd
    sed -i '/lp:x:4:7:lp/d' /etc/passwd
    sed -i '/postfix:x:89:89/d' /etc/passwd

    ##设置粘贴位，避免个人文件被他人修改
    chmod +t /tmp
    ##所有属主为root的目录必须设置属于root组，权限不能高于755
    find / -tpye d -perm 575 | xargs -0 chmod 755
    find / -type d -perm 777 | xargs -0 chmod 755
}

function init_file() {
    test -e /etc/motd || touch /etc/motd
    chown root:root /etc/motd && chmod 644 /etc/motd
    test -e /etc/issue || touch /etc/issue
    chown root:root /etc/issue && chmod 644 /etc/issue
    test -e /etc/issue.net || touch /etc/issue.net
    chown root:root /etc/issue.net && chmod 644 /etc/issue.net
    test -e /etc/cron.allow || touch /etc/cron.allow
    chown root:root /etc/cron.allow && chmod 644 /etc/cron.allow
    test -e /etc/at.allow || touch /etc/at.allow
    chown root:root /etc/at.allow && chmod 644 /etc/at.allow

    rm -f /etc/at.deny && rm -f /etc/cron.deny

    chown root:root /etc/anacrontab && chmod og-rwx /etc/anacrontab
    chown root:root /etc/crontab && chmod og-rwx /etc/crontab
    chown root:root /etc/cron.d && chmod og-rwx /etc/cron.d
    chown root:root /etc/cron.hourly && chmod og-rwx /etc/cron.hourly
    chown root:root /etc/cron.daily && chmod og-rwx /etc/cron.daily
    chown root:root /etc/cron.weekly && chmod og-rwx /etc/cron.weekly
    chown root:root /etc/cron.monthly && chmod og-rwx /etc/cron.monthly

    cat >> /etc/audit/audit.rules << EOF
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/tallylog -p wa -k logins
#收集修改日期和时间信息事件
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stiome -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
#收集了修改用户/组信息得事件
-w /etc/group -p wa -k dientity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
#确保收集了修改系统网络环境的事件
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=32 -S sethostname -S setdomainname -k ststem-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p -wa -k system-locale
#确保收集了修改系统强制性访问控制的事件
-w /etc/selinux/ -p wa -p MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
#确保收集了登陆和注销事件
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
#确保收集了会话信息
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
#确保收集了任意访问控制权限修改事件
-a always,exit -F arch=b64 -S chmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod  -S fchmodat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lrmovexattr -S fremovxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lrmovexattr -S fremovxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
#确保收集了未成功的未经授权的文件访问尝试
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always.exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
#确保成功收集文件系统挂载
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit- F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
#确保收集了用户的文件删除事件
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
#确保收集对系统管理范围的更改
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
#确保收集了系统管理员操作
-w /var/log/sudo.log -p wa -k actions
#确保收集了内核模块的加载和卸载
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
#确保审核配置不可变
-e 2
EOF

    cat >> /etc/audit/audit.conf << EOF
#审核日志已满时禁用系统
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
#审核日志不会自动删除
max_log_file_action = keep_logs
EOF
    #确保配置了对/etc /ssh /sshd-config的权限
    chown root.root /etc/ssh/sshd_config
    chmod og-rwx /etc/ssh/sshd_config
    #有关ELF格式文件得权限
    chmod 750 /usr/bin/readelf
    chmod og-rwx /boot/grub2/grub.cfg

    #启用对在auditd之前启动得进程审核
    echo -e "GRUB_CMDLINE_LINUX=\"audit=1\"" >> /etc/default/grub

    mv /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem.bak

    #配置时间
    echo -e "OPTIONS = \"-u chrony\"" >> /etc/sysconfig/chronyd
    #邮件传输代理仅设为本地代理
    sed -i "s/inet_interfaces = localhost/inet_interfaces = loopback-only/" /etc/postfix/main.cf
    #确保定期检查文件系统完整性
    #cron_tmp=`crontab -u root -l | grep adie`
    #if [ $cron_tmp != 0 ];then
    #    echo -e "0 5 * * * /usr/bin/aide --config /etc/aide/aide.conf --check" >> /var/spool/cron/root
    #fi

}

function main() {
    install_package
    add_user
    init_security
    init_sys
    change_ssh
    init_log
    stop_server
    init_file
    init 6
}

main
